(ITS#5266) "authorization failure: invalid authcid" during SASL auto_transition

Howard Chu hyc at highlandsun.com
Sat Dec 22 20:50:27 EST 2007


(Resending, used wrong From address before, cc'd to openldap-its at openldap.org)

dwhite at olp.net wrote:
> Full_Name: Dan White
> Version: 2.3.39
> OS: Linux
> URL: http://support.olp.net/ldap/log2.txt
> Submission from: (NULL) (65.161.252.42)
> 
> 
> If I enable SASL auto_transition, I receive the following error during
> authentication:
> 
> SASL(-14): authorization failure: invalid authcid
> 
> I'm using openldap version 2.3.39 for both slapd and my ldap utils
> (ldapsearch).
> I'm using the bdb backend.
> 
> I'm also using Debian Etch with the following versions of software:
> 
> Cyrus SASL 2.1.22(.dfsg1-8)
> libdb 4.2.52(+dfsg-2)
> libc6 2.3.6(.ds1-13etch2)
> PAM 0.79(-4)
> pam_ldap 184(-2)
> 
> I'm using saslauthd's PAM backend, and in turn using pam_ldap for
> authentication, although I don't believe the problem is related to the
> saslauthd/pam configuration.
> 
> Here's the client side output from the attempted bind:
> 
> hiro:~# ldapsearch -LLL -Y PLAIN -U abrown at olp.net uid=n/a
> SASL/PLAIN authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Insufficient access (50)
>         additional info: SASL(-14): authorization failure: invalid authcid
> 
> If I turn off auto_transition, it works:
> 
> hiro:~# ldapsearch -LLL -Y PLAIN -U abrown at olp.net uid=n/a
> SASL/PLAIN authentication started
> Please enter your password:
> SASL username: abrown at olp.net
> SASL SSF: 0
> hiro:~#
> 
> My slapd.conf SASL service file looks like:
> 
> hiro:~# cat /usr/lib/sasl2/slapd.conf
> keytab: /etc/krb5.keytab-ldap
> pwcheck_method: saslauthd
> auxprop_plugin: slapd
> auto_transition: yes
> log_level: 7
> 
> And the server log (loglevel -1) is located at:
> 
> http://support.olp.net/ldap/log2.txt
> 
> The error appears to be occurring while transitioning the password to the
> auxprop store, in the slap_sasl_authorize function:
> 
>         /* Skip SLAP_SASL_PROP_CONN */
>         prop_getnames( props, slap_propnames+1, auxvals );
> 
>         /* Should not happen */
>         if ( !auxvals[0].values ) {
>                 sasl_seterror( sconn, 0, "invalid authcid" );
>                 return SASL_NOAUTHZ;
>         }
> 
> What I'm expecting to happen during the bind is to have SASL overwrite my
> userPassword and cmusaslsecretOTP attributes, via the slapd auxprop plugin.
> 
> I have a lot of passwords in crypted form (which PAM authenticates), and I'm
> aiming towards a clear-text password store by using this functionality.

This is a bug in Cyrus SASL; the setpass function is zeroing out the 
connection state when it should be leaving it intact. The attached patch will 
fix the problem. (Verified using saslauthd and most of the above components.)
-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: dif.txt
Url: https://lists.andrew.cmu.edu/mailman/private/cyrus-sasl/attachments/20071222/916d5f89/attachment.txt 
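The following is an added illustration, not code from Cyrus SASL, OpenLDAP or the attached patch. It models in a few dozen lines the sequence the thread describes: a connection carries the authenticated identity, the auto_transition setpass step writes the password into the auxprop store, and the authorize step then re-reads the identity and reports "invalid authcid" (SASL_NOAUTHZ, -14) if it has been lost. The struct names, the store, the identity "abrown@example.com" and the password are all constructed for the example; only the error string and the -14 code come from the report. The "buggy" variant wipes the whole connection state the way Howard describes, the "fixed" variant clears only the transient password buffer.

```c
/* Toy model of the auto_transition failure discussed in ITS#5266.
 * Not Cyrus SASL or OpenLDAP code; all structures are constructed here. */
#include <stdio.h>
#include <string.h>

#define SASL_OK       0
#define SASL_NOAUTHZ -14   /* the SASL(-14) code quoted in the bug report */

/* Per-connection state that must survive the whole bind. */
struct conn_state {
    char authcid[64];   /* identity that authenticated (constructed value below) */
    char scratch[64];   /* transient copy of the password, safe to wipe after use */
};

/* Stand-in for the auxprop store (the slapd auxprop plugin in the report). */
struct auxprop_store {
    char secret[64];
};

/* Buggy setpass: stores the secret, then zeroes the entire connection state,
 * which is the defect described in the reply. */
static void setpass_buggy(struct conn_state *c, struct auxprop_store *s, const char *pw) {
    snprintf(s->secret, sizeof s->secret, "%s", pw);
    memset(c, 0, sizeof *c);                  /* BUG: authcid is wiped along with scratch */
}

/* Fixed setpass: stores the secret and clears only the transient password copy. */
static void setpass_fixed(struct conn_state *c, struct auxprop_store *s, const char *pw) {
    snprintf(s->secret, sizeof s->secret, "%s", pw);
    memset(c->scratch, 0, sizeof c->scratch); /* authcid is left intact */
}

/* Mirrors the "Should not happen" check in slap_sasl_authorize:
 * no authenticated identity left on the connection means SASL_NOAUTHZ. */
static int authorize(const struct conn_state *c, const char **err) {
    if (c->authcid[0] == '\0') {
        *err = "invalid authcid";
        return SASL_NOAUTHZ;
    }
    *err = NULL;
    return SASL_OK;
}

/* Runs authenticate -> setpass (transition) -> authorize with either setpass
 * variant and returns the authorize result code. */
int transition_and_authorize(int use_fixed, const char **err) {
    struct conn_state c;
    struct auxprop_store s;
    memset(&c, 0, sizeof c);
    memset(&s, 0, sizeof s);
    snprintf(c.authcid, sizeof c.authcid, "%s", "abrown@example.com"); /* constructed */
    snprintf(c.scratch, sizeof c.scratch, "%s", "constructed-password");
    if (use_fixed)
        setpass_fixed(&c, &s, c.scratch);
    else
        setpass_buggy(&c, &s, c.scratch);
    return authorize(&c, err);
}

/* Convenience wrapper returning only the result code. */
int transition_rc(int use_fixed) {
    const char *err;
    return transition_and_authorize(use_fixed, &err);
}

int main(void) {
    const char *err;
    int rc = transition_and_authorize(0, &err);
    printf("buggy setpass: rc=%d (%s)\n", rc, err ? err : "ok");
    rc = transition_and_authorize(1, &err);
    printf("fixed setpass: rc=%d (%s)\n", rc, err ? err : "ok");
    return 0;
}
```

The point the model makes is the one in the reply: the authorize callback is not wrong to reject an empty authcid, the defect is upstream in a setpass that clears more state than the password buffer it owns, so the right fix is in setpass rather than in relaxing the "should not happen" check.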